Crowdfunding platform Patreon suffered a major security breach yesterday, with many user details (including passwords, names and addresses) among the data that was stolen. To make matters even worse for the site, it has since been discovered that nearly 15GB of the pilfered information has been leaked online.

No one has come forward to claim responsibility for the hack and the subsequent data dump, which revealed 2.3 million email addresses, passwords, donation records, and private messages. The leaked data, which was found on file-sharing sites, was inspected by security researcher Troy Hunt who told Ars Technica that it almost certainly came from Patreon servers and was “more extensive and potentially damaging to users than he previously assumed.”

"The fact that source code exists ... is interesting [and] suggests much more than just a typical SQL injection attack and points to a broader compromise," he told Ars. Referring to the inclusion of a 13.7-gigabyte database, he added: "At the very least, it means mapping individuals with the Patreon campaigns they supported. There's more data. I'll look closer once the restore is complete."

Uh oh, looks like the Patreon dump includes messages, some with very personal info.

Patreon, which allows people to donate to online talents or charities on a monthly basis rather than with a one-off payment, said that users' passwords were safe as they were cryptographically protected behind a 2048-bit RSA encryption key. It seems, however, that with access to the source code, the hackers have been able to significantly increase the speed at which the passwords were decrypted, much like the hackers behind last month's Ashley Madison leak.
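The practical lesson a defender takes from the cracking speed-up described above is that the cost of checking a password guess should come from a public, tunable work factor stored with each record, not from anything kept secret in the source code. The following is an added example written for this article; it is not Patreon's code and does not reproduce its RSA-based scheme. It uses PBKDF2-HMAC-SHA256 from Python's standard library with a per-user random salt and a stored iteration count (the `DEFAULT_ITERATIONS` value and the `$`-separated record format are assumptions chosen here), so that reading the implementation gives an attacker nothing that makes verification cheaper, and it shows how a site can detect records whose work factor falls below a raised floor.

```python
"""Added example: password verification whose cost does not depend on secrecy.

Illustrative code for this article, not Patreon's scheme. The work factor is
a public parameter stored beside each hash, so knowing the source code does
not reduce the cost of testing a guess.
"""
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 200_000  # assumed cost floor for this example
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.

    A fresh random salt is drawn unless one is supplied (tests pass a fixed
    salt so the output is deterministic).
    """
    salt = salt or os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored public parameters and compare
    in constant time; the iteration count in the record fixes the cost."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=DK_LEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was created with a weaker work factor than the
    current floor; the site rehashes it at the user's next successful login."""
    _, iters, _, _ = stored.split("$")
    return int(iters) < minimum_iterations


if __name__ == "__main__":
    # Constructed sample: an old record made with a low iteration count.
    old_record = hash_password("correct horse battery staple", iterations=10_000)
    print("old record verifies:", verify_password("correct horse battery staple", old_record))
    print("old record needs rehash:", needs_rehash(old_record))
    new_record = hash_password("correct horse battery staple")
    print("new record needs rehash:", needs_rehash(new_record))
    print("wrong password accepted:", verify_password("hunter2", new_record))
```

Because the iteration count is read from the record rather than from a constant in the code, raising the floor later does not invalidate existing records; `needs_rehash` flags them so they are upgraded transparently when the user next logs in.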

The breach was said to have taken place on September 28th, with the leaked data showing contents that had been generated as recently as September 24th. Patreon recommends that users change their passwords for the site and, for extra security, on any other websites where they reuse the same password. The company added that it is still investigating the hack and will be hiring a security firm to conduct an internal audit.

This is what you get when your government forces you to put secret backdoors in everything.
I think there are many variables to consider. It's very possible that companies don't want to pay the costs to implement and maintain proper security, don't have the means, don't fully understand security, or don't care enough about implementing it because the cost outweighs the potential damages from getting breached. It's very difficult, if not impossible, for us to know if a company is being responsible and competent in safeguarding our data. Sadly, people often have little say in the matter because all the information we exchange with any big entity is now stored digitally and connected worldwide whether we like it or not, and once that information is collected, it's stored indefinitely.